On August 25, 2017, the FTC released its fifth “Stick with Security” principle, which focused on how companies can protect their virtual “entrances and exits” and make life harder for hackers.
The FTC believes that the kind of attention businesses maintain for their brick-and-mortar operations, such as alarm systems and key card access, should also be applied to computer systems. Two tips are offered:
Segment Your Network
The FTC defines segmenting a network as separating areas on a network that are “protected by firewalls configured to reject unnecessary traffic.” Even though technology gives companies the option to link all devices (computers, laptops, smartphones, etc.) together, it may be prudent to create separation when sensitive data is involved. For example, the FTC recommends implementing a firewall to separate corporate website data from confidential client information. To help illustrate what not to do, the FTC offers two problematic scenarios. In one, a regional retail chain permits unrestricted data connectivity across its stores and a hacker detects a security lapse in one store’s network. Due to the lack of segmentation, the hacker is able to exploit the “open sesame” aspect of the company’s system and now has access to sensitive data. In another scenario, a company segments its network between sensitive and non-sensitive information, but undermines this firewall because the credentials to the sensitive side are accessible from the non-sensitive side. Again, the lack of effective segmentation creates a vulnerability.
Monitor Activity on Your Network
The same tools that warn companies about attempts to gain unauthorized network access or install malicious software can also be used to alert them when data is being “exfiltrated,” or transferred out of a system, in a suspicious way. If a company has tools that detect when confidential data is accessed outside a normal pattern and can alert IT to this, it is in a better position, for example, to catch a rogue employee in the act of stealing sensitive consumer information. When installing an intrusion detection system, ensure that it monitors both entry into the network and outgoing connections. Assign IT personnel to regularly check in on the system and oversee it for anomalous patterns of activity on the network.
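As an added example (not part of this post or the FTC guidance), the routine below shows one way to implement the “access outside a normal pattern” check over constructed access-log records from a confidential-data segment: it builds a per-user baseline of records read, then flags later reads that are far above that baseline, occur off-hours, or go to a destination outside the internal network. The log format, thresholds, business-hours window and the 10.0.0.0/8 internal range are assumptions for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: timestamp|user|records_read|dest_ip.  The first four
# lines establish alice's baseline; the last two are the activity under review.
SAMPLE_LOG = """\
2017-08-21T09:15:00|alice|120|10.0.5.20
2017-08-22T10:02:00|alice|135|10.0.5.20
2017-08-23T11:30:00|alice|110|10.0.5.20
2017-08-24T14:05:00|alice|128|10.0.5.20
2017-08-28T02:40:00|alice|9000|203.0.113.45
2017-08-28T10:15:00|alice|125|10.0.5.20
"""

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption: client-data segment
BUSINESS_HOURS = range(8, 19)                      # assumption: 08:00-18:59 is normal

def parse(log_text):
    """Split each line into (timestamp, user, records_read, destination)."""
    events = []
    for line in log_text.splitlines():
        ts, user, records, dest = line.split("|")
        events.append((datetime.fromisoformat(ts), user, int(records), dest))
    return events

def baseline(events):
    """Per-user mean and population std-dev of records read per access."""
    per_user = defaultdict(list)
    for _, user, records, _ in events:
        per_user[user].append(records)
    return {u: (mean(v), pstdev(v)) for u, v in per_user.items()}

def flag_anomalies(review_events, base, z_threshold=3.0):
    """Return (event, reasons) for each event outside the user's normal pattern."""
    alerts = []
    for ev in review_events:
        ts, user, records, dest = ev
        mu, sigma = base.get(user, (0.0, 0.0))
        reasons = []
        if sigma and (records - mu) / sigma > z_threshold:
            reasons.append("volume")                # far more records than usual
        if ts.hour not in BUSINESS_HOURS:
            reasons.append("off-hours")             # access outside the normal window
        if ipaddress.ip_address(dest) not in INTERNAL_NET:
            reasons.append("external-destination")  # data leaving the segment
        if reasons:
            alerts.append((ev, reasons))
    return alerts
```

In practice the baseline would be learned from a longer history and the alerts fed to whoever is assigned to watch the IDS, but the three checks are the ones the guidance is asking for.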